Cookie manager for control of cookie transfer in Internet
client-server computer systems

The invention relates to communication in client-server
computer systems, in particular in the Internet, in which
a server computer sends status information to a client
computer in the form of a cookie, which the client
computer stores for later return to the server computer;
and wherein there are applied methods for recording the
use of a downloaded resource and the actions effected on
this by the user of the client computer.

The World Wide Web (web) is the most widespread
information system in the Internet. The architecture of
the web is based on a conventional client-server model,
whereby the term client or client computer relates to the
general role of a computer as a requester of data, and the
term server or server computer relates to the general role
of a computer as a provider of data in a network. On the
client side, a web browser (browser) enables access to the
web and to the documents located on the server computers
or web servers of the web. A client computer (web client)
connected to the web communicates with a server computer
by means of the "Hyper Text Transfer Protocol" (HTTP). A
browser opens a connection to a server computer and starts
a request for a document. The server computer delivers the
requested document typically in the format of a text
document (web page) coded in "Hyper Text Markup Language"
(HTML). After closing of the connection, the server
computer remains passive, i.e. it cannot itself require
the web client to carry out further action. Thus, the
possibilities for interactive communication between server
and client in the web are restricted. However, since the
end of 1994, a mechanism has existed which allows
processes on the server side to store, and also to call
up, information on the client side. This mechanism is
described in US 5 774 670. For this purpose, one or more
items of status information of the HTTP answer of the
server are placed in front in the form of a document
header. These items of status information are generally
called a cookie. If the user of a client computer, in the
following called a web user or user, starts a request to a
server computer of a particular domain, beforehand the
cookies present on the client computer are checked as to
whether they belong to this domain and, if appropriate,
sent with the request to the server computer.

An HTML document may contain elements which are
constituted only as a reference to an associated resource
which is located on a different server computer. If a web
site configured in this way is called up by the user,
further documents are requested from this and/or other
server computers automatically, without the user having
influence on this, whereby the elements provided as a
reference in the original HTML document are completed.
Thereby, server computers to which a connection was
established via a reference in the originally
requested web page can likewise transfer cookies to the
client. With this, the user loses control over from which
server computers and for what purposes cookies may be sent
to his computer, in particular since the transfer and
storing of the cookies is not visible for the user.

This property of the cookie mechanism can be used in the
Internet for the collection of identity-related
information. Thus, for example, the path of a user through
the web pages of a particular domain and his behaviour
therein can be tracked and recorded. The items of
information obtained in this way can be evaluated in part
for a user-specific automatic adaptation of the starting
page or also of the services offered. This makes it
possible for example for an investment adviser to present
each of his customers with the prices of the shares in
which the customer concerned has shown particular interest
in the past, on the first page. Further, e-commerce
methods are based on the cookie mechanism. Thereby, for
each item placed in the shopping basket, a cookie is sent
to the client computer and as soon as the order is to be
issued, all these cookies are sent back to the server
computer of the offerer of the items and evaluated for the
processing of the order.

Since cookies are only sent back to the domains from which
they were sent to the client computer, this process gives
the user the impression of a certain degree of
trustworthiness, which is not justified since, as shown, the
user has no control over the domains from which he
receives cookies. Advertising groups for example place
their advertising banners on many popular pages of the
Internet in accordance with the above-described method.
This means that the central server of an advertising group
is now addressed, and can send cookies to the client
computer, from many different web pages. With each call of
a web page having an advertising banner of this
advertising group there thus follows a request to the
domain of the central advertising server, with which
cookies already earlier sent therefrom are returned
thereto before a new cookie is, possibly, again
transferred to the client computer with the advertising
banner. The contents of the cookies sent are stored in a
data bank of the advertising group and a profile of the
user produced therefrom. With time, these profiles form a
meaningful pattern of the activities of the user in the
Internet, from which the habits and preferences of the
user can be deduced. From these profiles, as disclosed in
US 5 991 735 and US 5 918 014, demographic and
psychographic information concerning the users can be
derived, on which further actions of the advertising group
are based, such as e.g. user-specific offers or
user-specific advertisements. The more different Internet
pages that have an advertising banner of a particular
advertising group, the better can the movements of the
user in the Internet be tracked, and the more
comprehensive will be the information collected about him.
With this, the psychogram of the user can be defined ever
more exactly and naturally also more personally.

Although the usual browsers offer the possibility of
configuring behaviour in relation to the cookie mechanism,
this can only be done to a very restricted extent. In
particular they offer no possibility of configuring the
exchange of cookies to be transparent. The cookie
mechanism can be deactivated, but if this is done for
example a movement in domains having restricted access and
also e-commerce is prevented. In particular, the
possibilities offered by browser settings do not allow a
distinction to be made between a transfer of desired or
undesired cookies.

It is thus the object of the present invention to remedy
the above-mentioned disadvantages of the state of the art,
and to make it possible for a user in the Internet to
control cookie transfer from and to his client computer
without him having to do without certain of the services
offered via the Internet. In particular it is also an
object of the present invention to make it possible for a
user in the Internet to avoid the collection of
identity-related information.



The object is achieved by means of a method of
administering cookies in an Internet client-server system,
in which cookies are exchanged per Internet between a
server computer and a client computer, in which the return
of a cookie stored in the client computer to the server
computer which had put the cookie in place is dependent
upon a preceding check of the cookie.

Further, the object is achieved by means of a computer
software product for the administration of cookies in an
Internet client-server system, in which cookies are
exchanged per Internet between a server computer and a
client computer, whereby the return of a cookie stored in
a client computer to the server computer which put the
cookie in place is allowed in dependence upon a preceding
check of the cookie.

Further, the object is achieved by means of a client
computer for an Internet client-server system, having an
interface device for data exchange via the Internet, at
least one memory device for storing data objects, and an
administration means for the administration of cookies,
whereby the administration means sends back a cookie
stored in the memory device to the server computer which
put the cookie in place, in dependence upon a preceding
check.

Advantageous developments are indicated in the respective
subclaims.

In accordance with a preferred configuration, the
administration and checking of cookies stored and to be
stored on the client computer is effected independently of
a browser of the client computer which establishes an
Internet connection to a server computer. In a further
preferred configuration a checking of a cookie to be sent
back can be effected in dependence upon a configurable set
of conditions in the client computer. Further, it is
particularly advantageous to determine the result of the
checking of a cookie in dependence upon an evaluation of
the server computer address associated with the cookie as
desirable or undesirable, whereby directly selected
addresses can be set as desirable, and indirectly selected
addresses as undesirable.



In accordance with a particularly advantageous
configuration of the invention, the format of a cookie
stored in a client computer includes a first data set
having data fields for holding the original data of the
cookie, and a second data set having data fields for
holding additional data which serves for the checking of
the cookie. Advantageously thereby, the second data set
may include a first data sub-set having data fields for
holding the date of creation of the cookie and/or the
designation of the cookie and/or the description of the
cookie and/or classifying keywords, whereby in a further
advantageous configuration there is added to the second
data set of a cookie valid for a request made by a browser
a further data sub-set having information for
classification and protocolling of the request. Thereby it
is of particular advantage when the added further data
sub-set contains at least the name and Internet address of
the HTML page directly called up on which the object was
located which initiated the request, and the time point of
the call.

In a further configuration, each cookie or a collection of
a plurality of cookies can be stored in separate files in
the client computer. In a further advantageous
configuration of the present invention these files are
transferred to and from at least one further computer, so
that a client computer has available to it a plurality of
different cookies valid for one server computer address.
In particular, in accordance with a particularly
advantageous configuration, different client computer
cookies can be stored in, searched and called up from data
banks of different Internet server computers, so that
there are available on a client computer a plurality of
different cookies valid for one server computer address,
whereby in accordance with a further configuration of the
invention advantageously the selection of a cookie to be
sent back is effected randomly from a plurality of cookies
valid for this request.

The advantages of the present invention are on the one
hand the control of cookie transfer via Internet
connections by the user which is made possible thereby,
and on the other hand that the return of the cookies is
made dependent upon evaluation criteria which can be
configured. Further, the recording of data for the
description of the cookie and the initiator of its
sending, together with the subsequent recording of the
further use of the cookie has the advantage that it can be
made transparent to the user on which server computers
what kind of data is collected about him. The exchange of
cookies between the individual client computers in
accordance with the invention makes it possible for the
user to return to selected server computers, alternatively
to "his" cookies, foreign cookies selected randomly, so
that the data collected about him is made valueless,
whereby above all the employment of cookie servers for the
automatic organisation of the exchange of cookies for this
purpose creates a world wide basis, extending far beyond
the circle of acquaintances of one person.

In the following, the present invention will be described
in more detail with reference to the accompanying
drawings, in which there is shown:

Figure 1 schematically an Internet client-server system in
which the present invention is realised,

Figure 2 a schematic diagram of a cookie format in
accordance with the present invention,

Figure 3 a flow diagram for explanation of the method of
administration of cookies in accordance with the
invention,

Figure 4 a schematic for illustrating the synchronisation
of data between a cookie manager and a cookie server
corresponding to a further preferred configuration of the
invention.

Figure 1 shows schematically an Internet client-server
system for explanation of the establishment of a
connection of a user in the Internet to a server computer
in accordance with the present invention. A user 10
establishes with the aid of the web browser 12 installed
on his client computer 11 a connection with a server
computer 17 via the Internet 16. In accordance with the
present invention there is found on the client a computer
software product 14, called a cookie manager in the
following, which is connected in the flow of data between
the browser and the Internet. This cookie manager analyses
all data going out from the browser and all data coming in
from the Internet. If a document sent from the Internet
contains a cookie this is filtered out by the cookie
manager and not passed on to the browser. In dependence
upon the configuration effected by the user, the cookie
is, if applicable, stored or otherwise is removed. The
basis for this decision is an evaluation of the cookie as
desired or undesired. This is determined on the basis of
the address which sent the cookie, so that the criterion
for the evaluation of the cookie reduces to whether it was
sent from a desired address or from an undesired address.

If one assumes that the user requests documents via the
Internet in accordance with his desires and inclinations,
requests which are directly caused through his actions can
be considered as desired requests, whilst requests which
are indirectly caused by his actions, such as for example
the subsequent loading of elements or object contents of
the web page called up by him, can be considered as
undesired. In order to recognise whether a cookie was sent
by a request caused directly by a user action or was sent
indirectly due to the subsequent loading of elements to
the client, it may be advantageous to integrate a part of
the cookie manager in the browser program. With a
different configuration of the cookie manager, independent
of the browser program of the client, the cookie manager
detects the address of the first request from the user and
stores this as desired address. If now a cookie is
returned to the client from the server computer having
this first address, the cookie is considered to be desired
and stored on the client computer. All further requests
automatically following this first request directly
initiated by the user, likewise cookies possibly sent from
these addresses, are considered as undesired. In a further
advantageous configuration of the present invention it is
checked whether the target of the request is a normal HTML
page or an embedded object, which normally is
automatically subsequently loaded. In the first case the
cookie sent from the address is evaluated as "desired" and
in the second case as "undesired".

The evaluation of a cookie can also be effected via the
identification of the types of the objects to be loaded.
On the one hand, for this purpose the file name extension
of the object to be loaded can be employed, and on the
other hand a content type made available by the HTML
standard. Since, however, the content type is only
contained in the answer from the server, a corresponding
entry in the second data set of the cookie is effected
only after reception of the HTML page.

For the reliable recognition of the originally called-up
page, additionally three special cases must be
distinguished and recognised. If a server has changed its
address, there may be connected at the old address a web
page which directs the browser automatically to call up
the new address. This process, called re-direct, is
recognised by the cookie manager and the new address of
the server computer is entered in the use data set 24
(Figure 2). If the web page called-up consists of a
plurality of partial windows, so-called frames, through
the request of the user only one page is called up which
then contains the loading commands for the further pages
which are loaded into the respective frames. The cookie
manager recognises this special form of follow-up call and
enters the loading command for the originally loaded page
in the use data set 24 (Figure 2) of the cookie. By the
employment of active contents, the server computer can
cause the browser to load additional objects either
through actions of the user or automatically. If the
loading of the object is caused by an input of the user,
the address of the object is entered in the use data set
of the cookie. If, however, active influence of the user
cannot be determined, and/or if the object is
automatically loaded, in these two latter cases the
address of the originally called-up page is entered in the
use data set of the cookie. The decision criterion is
based on the assumption that as a rule user actions are
initiated by clicking on a link, i.e. by a reference to
another page. Actions of the user can now furthermore be
subject to verification as to whether the address of the
request was contained as a link on a preceding page. If
the user enters the address directly, the HTTP header line
"referrer" is not present, as it is in the preceding case.
The entry in the "referrer" can thus be employed as a
decision criterion.
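
The classification rules above, worked through as an added Python example (not code from the patent). The class and function names, the extension and content-type lists, the order in which the rules are tried and the sample page are assumptions constructed for illustration; the header the text calls "referrer" is spelled Referer on the wire.

```python
import posixpath
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed lists: the text names file extension and content type as criteria
# but does not enumerate values.
EMBEDDED_EXTENSIONS = {".gif", ".jpg", ".jpeg", ".png", ".js", ".css", ".swf"}
PAGE_CONTENT_TYPES = {"text/html", "application/xhtml+xml"}


class PageScanner(HTMLParser):
    """Collects the links a user could click and the objects loaded automatically."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links, self.auto_loaded = set(), set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.add(urljoin(self.base_url, attrs["href"]))
        elif tag in ("frame", "iframe", "img", "script", "embed") and attrs.get("src"):
            self.auto_loaded.add(urljoin(self.base_url, attrs["src"]))


def looks_embedded(url, content_type=None):
    """Object-type check: content type once the answer is in, else file extension."""
    if content_type is not None:
        return content_type.split(";")[0].strip().lower() not in PAGE_CONTENT_TYPES
    return posixpath.splitext(urlsplit(url).path)[1].lower() in EMBEDDED_EXTENSIONS


class RequestClassifier:
    """Labels each request and names the page to record in the use data set."""

    def __init__(self):
        self.original_page = None   # page the user actually called up
        self.links = set()          # link targets seen on preceding pages
        self.auto_loaded = set()    # frame/image/script sources of those pages

    def page_received(self, url, html):
        scanner = PageScanner(url)
        scanner.feed(html)
        if url == self.original_page:      # new top-level page: forget the old one
            self.links, self.auto_loaded = set(), set()
        self.links |= scanner.links
        self.auto_loaded |= scanner.auto_loaded

    def classify(self, url, referrer=None, redirected_from=None, content_type=None):
        if redirected_from is not None and redirected_from == self.original_page:
            self.original_page = url       # re-direct: record the new address
            return "desired", url
        if referrer is None:               # address entered directly by the user
            self.original_page = url
            return "desired", url
        if url in self.auto_loaded:        # frame or embedded object of the page
            return "undesired", self.original_page
        if url in self.links:              # a link on a preceding page was followed
            self.original_page = url
            return "desired", url
        if looks_embedded(url, content_type):   # fall back to the object type
            return "undesired", self.original_page
        self.original_page = url
        return "desired", url


# Constructed sample page and request sequence (hypothetical hosts).
SAMPLE_URL = "http://shop.example/index.html"
SAMPLE_HTML = """<html><frameset><frame src="/menu.html"></frameset>
<body><a href="/offers.html">Offers</a>
<img src="http://ads.example/banner.gif"></body></html>"""


def demo():
    c = RequestClassifier()
    results = [c.classify(SAMPLE_URL)]
    c.page_received(SAMPLE_URL, SAMPLE_HTML)
    results.append(c.classify("http://ads.example/banner.gif", referrer=SAMPLE_URL))
    results.append(c.classify("http://shop.example/menu.html", referrer=SAMPLE_URL))
    results.append(c.classify("http://shop.example/offers.html", referrer=SAMPLE_URL))
    results.append(c.classify("http://new.example/",
                              redirected_from="http://shop.example/offers.html"))
    results.append(c.classify("http://stats.example/hit", referrer="http://new.example/",
                              content_type="image/gif"))
    return results
```

The second element of each result is the address that would be entered in the use data set: the banner and the frame are attributed to the page the user called up, not to their own addresses.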

If the cookie manager finds a cookie in the incoming data
flow this is, so far as permitted by the configuration
effected by the user, stored. The storing is effected in
the cookie format 20 illustrated in Figure 2. This format
is made up of three different data sets, whereby the first
data set 21 contains the original data of the cookie as it
was sent from the server computer to the client computer.
This is followed by a data set 22, the first data sub-set
23 of which contains data fields relating to the
properties of the cookie. This is followed by data sets
24, which characterise the use of the cookie in the course
of its employment. The original data set 21 contains data
fields for holding the name and the value of the cookie,
those two elements of the cookie which upon request are
sent back to the server computer which put the cookie in
place. Further data fields contain the expiry date of the
cookie, the path part-string and the domain part-string of
the server computer address and a remark whether the
return of the cookie should be effected via a secure
connection to the server computer. The data set 23, which
describes the properties of the cookie, includes data
fields for holding the creation date, a designation, a
description and a plurality of data fields which can hold
keywords for classification of the cookie. If a request is
directed via the Internet to a server computer address for
which a cookie is present on the client, and if this is
permitted by the configuration set up by the user, cookies
valid for this address are sent back to the server
computer. In this case the cookie, stored by the cookie
server in the above-described format, has added thereto a
new use data set 24 in the data fields of which the date
and time of the call and the Internet address URL of the
called-up page are contained and a plurality of data
fields with classification information concerning the
called-up page. In the case of repeated employment of the
cookie there is again added a further use data set 24, so
that the sum of the use data sets serves as a record of
employment of the cookie, or can be evaluated as a source
of information concerning the information which has been
collected about the user.

For classification of the called-up page the data fields
may contain the result of the above-described
determination or checking whether this is a desired or
undesired address. In general the entry in the referrer
can also be contained in one of these data fields for
determining the page actually called-up.



Figure 3 shows the effect of the cookie manager on the
cookie mechanism in the case of a request of the browser
to a server computer. If the browser starts a request to
the Internet in a step S1, the cookie manager checks in a
step S2 whether a valid cookie is available for the
requested address. If this is not the case, the request is
passed on to the Internet in a step S8. If a cookie is
available, in a step S3 the configuration set by the user
is checked, and possibly the user is directly queried. If
the result of the check is negative, the processing
branches to step S8 and the request of the browser is
passed on to the Internet without a cookie being appended.
If the result of the checking was positive, it is
determined in a step S4 whether the original cookie or an
alternative cookie with misleading information should be
employed, which in this case is loaded in a step S5. In
both cases, in a subsequent step S6, there is added to the
cookie format a further use data set 24, and finally in a
step S7 the name and value of the cookie is integrated in
the request of the browser and in step S8 passed on to the
Internet.
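
The cookie format 20 of Figure 2 and steps S2 to S7 of Figure 3, as an added Python example rather than code from the patent. Field names, the policy values "original", "alternative" and "none", and the choice to send no cookie when an alternative is requested but none has been imported are assumptions; the sample cookies are constructed.

```python
import random
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

@dataclass
class OriginalData:                 # data set 21: the cookie as the server sent it
    name: str
    value: str
    domain: str
    path: str = "/"
    expires: Optional[datetime] = None
    secure: bool = False

@dataclass
class Properties:                   # data sub-set 23: properties of the cookie
    created: datetime
    designation: str = ""
    description: str = ""
    keywords: list = field(default_factory=list)

@dataclass
class UseRecord:                    # use data set 24: one entry per employment
    when: datetime
    page_url: str                   # page the user actually called up
    classification: str             # "desired" or "undesired"

@dataclass
class StoredCookie:                 # cookie format 20
    original: OriginalData
    properties: Properties
    uses: list = field(default_factory=list)

    def valid_for(self, host, path, secure, now):
        o, domain = self.original, self.original.domain.lstrip(".")
        if o.expires is not None and o.expires <= now:
            return False
        if o.secure and not secure:
            return False
        return (host == domain or host.endswith("." + domain)) and path.startswith(o.path)

class CookieManager:
    """policy maps "desired"/"undesired" to "original", "alternative" or "none"."""

    def __init__(self, policy, rng=None):
        self.policy = policy
        self.own = []               # cookies this client received itself
        self.imported = []          # alternative cookies from the import interface
        self.rng = rng or random.Random()

    def incoming(self, original, classification, now):
        """A cookie filtered out of an answer is stored or removed per the policy."""
        if self.policy.get(classification, "none") == "none":
            return None
        cookie = StoredCookie(original, Properties(created=now))
        self.own.append(cookie)
        return cookie

    def outgoing(self, host, path, secure, page_url, classification, now):
        """Steps S2 to S7: the Cookie header value, or None to go straight to S8."""
        def valid(cookies):
            return [c for c in cookies if c.valid_for(host, path, secure, now)]
        own, pool = valid(self.own), valid(self.imported)
        if not own and not pool:                                  # S2: nothing valid
            return None
        mode = self.policy.get(classification, "none")            # S3: configuration
        if mode == "alternative" and pool:                        # S4: which cookie?
            chosen = [self.rng.choice(pool)]                      # S5: load alternative
        elif mode == "original" and own:
            chosen = own
        else:
            return None             # assumption: nothing suitable means no cookie
        for cookie in chosen:                                     # S6: add use data set
            cookie.uses.append(UseRecord(now, page_url, classification))
        return "; ".join(f"{c.original.name}={c.original.value}" for c in chosen)  # S7

# Constructed sample: one shop cookie, one banner cookie, one imported cookie.
def demo():
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    page = "http://shop.example/index.html"
    m = CookieManager({"desired": "original", "undesired": "alternative"}, random.Random(0))
    m.incoming(OriginalData("basket", "item42", "shop.example"), "desired", now)
    m.incoming(OriginalData("uid", "own-id", "ads.example"), "undesired", now)
    m.imported.append(StoredCookie(OriginalData("uid", "foreign-id", "ads.example"),
                                   Properties(created=now)))
    headers = [m.outgoing("shop.example", "/cart", False, page, "desired", now),
               m.outgoing("ads.example", "/banner.gif", False, page, "undesired", now),
               m.outgoing("other.example", "/", False, page, "desired", now)]
    return m, headers
```

After `demo()` the shop cookie and the imported cookie each carry one use data set naming the called-up page, while the client's own banner cookie has none because it was never returned.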


If the user configuration is restricted only such that no
cookie is to be sent to an undesired address, this solely
has the consequence that the operators of centralised data
banks for the collection of identity-related information
can receive no further information about the user.
Information already collected remains, however, authentic.
The monitoring of the user, illegal in many countries, can
however be best countered in that deliberately misleading
information is fed into these central data banks. The
operators of advertising servers assume that each cookie
is stored only on exactly one computer. In other words, if
a server computer receives a cookie together with a
request, it assumes that it reflects the identity of the
user. If, instead, there is returned a cookie with the
identity of another user, the data set in the central
data bank for the collection of identity-related
information becomes unusable. Further, for the operator of
such a data bank, it is not directly recognisable which
entries in his data bank have been made misleading. In the
case of a widespread use of the cookie manager, the entire
data bank of the operator would be made virtually
worthless, since potentially every entry could be
misleading. In order to make this possible, in a further
configuration of the present invention, the possibilities
of configuration by the user are so extended that if he
for example wishes to be recognised as a user with very
particular characteristics, he allows the data of the
original cookie to be sent back to the server computer or
in the case of an undesired address he can indicate
whether for this connection no cookie should be returned
or a suitably randomly chosen cookie of another user
should be returned.

The cookie manager administers the cookies such that for 
each address of a server computer an arbitrary number of 
cookies can be alternatively used. Thereby the use of 
cookies of different clients is effected through random 
choice via an import and export interface of the cookie 
manager. Each cookie or a collection of many cookies can 
be stored in external files and thus easily transferred to 
other computers. The transfer may be effected e.g. by
e-mail or via the computer of a local area network LAN. In
accordance with a particularly advantageous configuration 
of the present invention, the exchange of cookies can be 
effected via so-called cookie servers, by which means 
cookies can be exchanged worldwide, beyond the circle of 
acquaintances of one person. By a cookie server there is 
to be understood a computer which is connected to the 
Internet and receives cookies from cookie managers and 
returns alternative cookies to these cookie managers. 



These uploads and downloads may thereby be effected
directly between the individual cookie managers and the
cookie server or servers via a special Internet interface
15, 18. The cookies received in the above-described format
from the cookie manager are saved on the cookie server in
a data bank. Search functions defined on this data bank
make possible a targeted selection of cookies with
particular characteristics and the automatic downloading
of cookies for the connection with a particular server
computer. So that operators of central data banks for the
collection of identity-related data cannot efficiently
query the cookie server, in order for example to be able
to identify misleading data entries in their data bank, no
search functions relating to the cookie name and/or the
cookie values are present on the cookie server. Further, a
cookie is only passed on to a restricted number of users;
if this number is exceeded, the cookie is either deleted
or blocked. This prevents a server computer from
recognising "its" cookies and reacting appropriately. For
this reason, in a particularly advantageous configuration
of the present invention, a plurality of independent, at
least in part not publicly known cookie servers, deal with
the exchange of alternative cookies. The individual
cookies are held on a cookie server only for a restricted
span of time and after expiry thereof deleted. By these
means it is ensured that no information concerning
individual users could collect on a cookie server, in
particular also in that each cookie manager exchanges its
cookies with a series of servers, and thus each cookie
server holds only a fraction of the use data.

The protection of user information can be achieved in a
further configuration of the present invention in that
each cookie manager is so configured that only an
arbitrary portion of the fields in the use data set is
transferred to the cookie servers, so that a user is not
compelled to pass on his use data to a cookie server which
for him is perhaps not completely trustworthy. In order to
ensure the trustworthiness of a cookie server, this should
authenticate itself to the cookie manager with the
employment of digital certificates. A further
possibility for the protection of user data, which can
also be employed in addition to what is described above,
is access to the cookie server via anonymiser services.
Since most available anonymiser services work on the basis
of the worldwide web or e-mail, the Internet interface
should be so designed that it can be tunnelled using these
protocols.

If a cookie is simultaneously stored in many cookie
managers, naturally in each case only the locally arising
use data 24 is added. In other words, the same cookies
manifest, due to their employment on different clients,
different use data sets, and thereby only an incomplete
image of their complete employment. In order to complete
the protocolling of the employment of a cookie, the cookie
server has the possibility for synchronising the data. The
corresponding synchronisation mechanisms are supported
both by the cookie managers and also by the cookie
servers. The special Internet interface 15, 18, via which
the exchange of the cookies is effected between the cookie
managers and the cookie servers, also supports
corresponding functions of the synchronisation mechanism.

In Figure 4 there is illustrated the case in which a
cookie manager transfers a cookie 20 to a cookie server 40
and in the reply of the cookie server to the cookie
manager the data sets not yet contained in this cookie are
sent back. In order to determine these data sets, the
synchronisation mechanism of the cookie server compares in
a first step S10 the use data sets of the cookie 20
transferred from the cookie manager with those of the
cookie 20' present on the server and forms, if the two use
data sets are different, in a synchronisation step S11 the
sum of both use data sets and removes from this sum the
use data sets which were already contained in the cookie
transferred from the cookie manager. The user thus obtains
a comprehensive overview of the employment of the
corresponding cookie. By the alternative employment of
randomly selected cookies of other users throughout the
world, the user profiles in data banks for storing
identity-related information on the corresponding Internet
server computers are mixed in such a manner that the
operators of such data banks cannot recognise misleading
data entries and the stored data is thus potentially
valueless for them.
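
An added Python example (not part of the patent) of the cookie-server side: the S10/S11 synchronisation of Figure 4 together with the hand-out limit, restricted holding time and domain-only lookup described earlier for the cookie server. Class names, the limit of two hand-outs and the seven-day lifetime are assumed values, and the sample records are constructed.

```python
import random
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class UseRecord:                     # use data set 24, reduced to two fields
    when: datetime
    page_url: str


@dataclass
class Entry:                         # one cookie 20' held in the server's data bank
    domain: str
    name: str
    value: str
    received: datetime
    uses: list = field(default_factory=list)
    handouts: int = 0


class CookieServer:
    def __init__(self, max_handouts=2, lifetime=timedelta(days=7), rng=None):
        self.max_handouts, self.lifetime = max_handouts, lifetime
        self.rng = rng or random.Random()
        self._bank = {}              # internal key only; no search by name or value

    def _expire(self, now):
        """Delete cookies held longer than the restricted span of time."""
        self._bank = {k: e for k, e in self._bank.items()
                      if now - e.received < self.lifetime}

    def synchronise(self, domain, name, value, client_uses, now):
        """Upload of cookie 20; the reply holds the use data sets the client lacks."""
        self._expire(now)
        entry = self._bank.setdefault((domain, name, value),
                                      Entry(domain, name, value, now))
        if set(entry.uses) == set(client_uses):                    # S10: compare
            return []
        merged = entry.uses + [u for u in client_uses if u not in entry.uses]  # S11: sum
        entry.uses = merged
        return [u for u in merged if u not in client_uses]         # minus the client's own

    def download(self, domain, now):
        """Random alternative cookie for a server address, selected by domain only."""
        self._expire(now)
        pool = [e for e in self._bank.values()
                if e.domain == domain and e.handouts < self.max_handouts]
        if not pool:
            return None
        entry = self.rng.choice(pool)
        entry.handouts += 1          # at the limit the cookie is blocked
        return entry.name, entry.value


def demo():
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)      # constructed timestamps
    a1 = UseRecord(t0, "http://news.example/")
    b1 = UseRecord(t0 + timedelta(hours=1), "http://shop.example/")
    server = CookieServer(rng=random.Random(0))
    cookie = ("ads.example", "uid", "shared-id")
    replies = [server.synchronise(*cookie, [a1], t0),    # manager A uploads
               server.synchronise(*cookie, [b1], t0),    # manager B uploads
               server.synchronise(*cookie, [a1], t0)]    # A synchronises again
    handed = [server.download("ads.example", t0) for _ in range(3)]
    late = server.download("ads.example", t0 + timedelta(days=8))
    return replies, handed, late
```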



